E-Banking Fraud Schemes:
Attack Trends and Defenses
Andrew Showstead,
VASCO Data Security
E-Banking Fraud Schemes
Agenda
› Attack trends
› Phishing attacks
› Spyware attacks
› Man-in-the-middle (MITM) attacks
› The cybercrime black market
› Defense mechanisms
› One-time passwords
› Electronic signatures
› User education
› Conclusion
Phishing
Computer Malware & Countermeasures
Phishing attacks: introduction (2/2)
(Diagram: numbered steps 1–8 of a phishing attack between the phisher, the end-user, the phishing webserver and the e-banking server, ending with the phisher's $$$)
Why phishing works
› Technologies for server authentication exist
› E.g. SSL/TLS with X.509v3 certificates
› Study by Harvard University & UC Berkeley (4/2006)
› Security indicators are not noticed or understood
› Security indicators can be spoofed
Indicators relied on        Participants   Success rate
Website content only        23%            40%
Also address bar            36%            61%
Also “https”                 9%            63%
Also padlock icon           23%            79%
Also certificates            9%            76%
Context-aware phishing (1/4)
› Also called “spear phishing”
› Phishing attack against:
› Employees of certain company, agency, organization, ...
› People using a certain product or service
› Spear phishing e-mails are more convincing:
› Include personal information
› Appear to come from known person (e.g. IT, head of HR, head
of Sales and Marketing)
› Information sources:
› Compromised databases
› monster.com (1.3M job seekers, 8/2007), USAJobs.com
(146K job seekers, 8/2007), Salesforce.com (11/2007)
› Social networking sites (e.g. LinkedIn, FaceBook, MySpace)
Context-aware phishing (2/4), (3/4), (4/4), (5/6): image-only slides
Context-aware phishing (6/6)
› Reported case: (9/2006)
› Step 1: information gathering
› Attackers broke into computer systems of
› Attackers stole information of 19,000 customers
› Step 2: information usage
› Attackers sent e-mail to customers, including personal
information and a claim about recent order requiring the
customer’s attention
› Customers were led to website and asked for more
information
Effectiveness of Spear Phishing
› Gartner: non-targeted phishing
› 19% clicks on link in e-mail
› 3% gives away personal information
› Indiana University (US): targeted phishing
› E-mail from friend: 72% gives away personal information
› E-mail from unknown student: 16% gives away personal
information
› West Point Military Academy (US): targeted phishing
› E-mail from colonel to cadets: 80% gives away personal
information
Whaling (1/4)
› Definition
› Spear phishing attack against high-level executives in a
single organization, or executives common to different
organizations (e.g. CEO, CIO, PM)
› May involve e-mail, postal mail, ...
Whaling (2/4): image-only slide
Whaling (3/4)
› Reported case: MessageLabs (6/2007)
› MessageLabs intercepted 500 highly targeted
e-mail messages with Word-document
› Name and job title in subject line
› Family and friends were targeted as well in order to
access home computers
Whaling (4/4)
› BBB (SecureWorks, 5/2007 and MessageLabs, 11/2007)
› Federal Trade Commission (11/2007)
› United States Department of Justice (Websense, 11/2007)
Optimizing delivery of phishing e-mails
› Common phishing protection mechanisms:
› Spam filter: detect phishing e-mails before end-user’s inbox
› Browser: warn end-user when visiting phishing server
› Based on blacklisting URLs of known phishing servers
› Report phishing website at http://www.PhishTank.com
Preventing Blacklisting
› URL variations
› http://www.secure-bank.com:80
› Randomized subdomains
› Unique URL per user / number of users
› http://www.barclays.co.uk.X.lot80.info/ (X: random number)
› Allows tracking end-user responses
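Both evasions above target blacklists that compare raw URL strings: appending a default port changes the string but not the host, and a unique subdomain per victim makes every reported URL differ from the next. The following added example (not code from the slides or from VASCO) shows the defender's counter: match on the canonical hostname and on the registrable domain instead of the literal URL, and flag hostnames that embed a genuine brand name in front of an unrelated registrable domain. The blacklist, brand list and the tiny public-suffix table are constructed for the example; a real deployment would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Tiny stand-in for the Public Suffix List (constructed; enough for the slide's examples).
PUBLIC_SUFFIXES = {"com", "info", "cc", "hk", "uk", "co.uk"}

# Constructed blacklist of reported phishing hosts, as a browser or mail filter might hold it.
BLACKLIST = {"www.secure-bank.com", "www.barclays.co.uk.4711.lot80.info"}

# Constructed list of genuine brand hostnames used by the lookalike heuristic.
BRAND_HOSTS = {"www.barclays.co.uk"}


def canonical_host(url):
    """Lower-cased hostname without default port, trailing dot or path."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """Part of the hostname the registrant controls, e.g. 'lot80.info' for
    'www.barclays.co.uk.4711.lot80.info' and 'barclays.co.uk' for 'www.barclays.co.uk'."""
    labels = host.split(".")
    for n in (2, 1):  # longest suffix first so that 'co.uk' wins over 'uk'
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_blacklisted(url):
    """True if the host, or any host under the same registrable domain, was reported."""
    host = canonical_host(url)
    if host in BLACKLIST:
        return True
    flagged_domains = {registrable_domain(h) for h in BLACKLIST}
    return registrable_domain(host) in flagged_domains


def looks_like_brand(url):
    """True if a genuine brand domain appears inside a host that is not that domain."""
    host = canonical_host(url)
    for brand in BRAND_HOSTS:
        brand_domain = registrable_domain(brand)
        if registrable_domain(host) == brand_domain:
            continue  # really is the brand's domain
        if brand_domain in host or brand_domain.split(".")[0] in host:
            return True
    return False
```

Matching on the registrable domain catches every randomized subdomain at once, at the price of also blocking unrelated sites hosted under the same registrable domain, which is acceptable for throw-away phishing domains but needs an allow-list for large shared hosts.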
Alternative channels (1/2) - vishing
› Voice (phone) phishing
› Two types:
1. Fraudster calls end-user and asks
for credentials
2. End-user is tricked into calling the fraudster
(via e-mail, voice mail)
› Strengths:
› Telephone systems have longer
record of trust
› A greater percentage of people can
be reached (e.g. elderly)
› People are used to automatic
answering services
› Making or receiving calls is cheap
› Caller ID can be spoofed
Alternative channels (2/2) - smishing
› SMS phishing – phishing with
text messages
› Process:
1. End-user receives SMS telling
him that
› he has successfully
subscribed to a service,
› he will be charged for the
service,
› he can visit a website to
unsubscribe from a
service
2. End-user visits website and
provides sensitive information
Pharming
Pharming (1/7)
› Interfere with the resolution of a domain
name to an IP-address so that domain name
of genuine website is mapped onto IP-
address of rogue website
(Diagram: domain name / IP-address pairs, www.barclays.co.uk with 213.219.1.141 and www.google.co.uk with 64.233.183.99)
Pharming (2/7) – hosts file poisoning: image-only slide
Pharming (3/7) – hosts file poisoning
› Adding {domain name, IP-address} pairs to hosts file
› Method:
› Hosts-file contains {domain name, IP-address} pairs
› Windows XP/Vista: %SystemRoot%\system32\drivers\etc
› DNS resolver looks up hosts file on end-user’s PC prior
to contacting DNS-server
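Because the hosts file is consulted before any DNS-server, a defender's first check on a suspected machine is simply to parse it and look for bank domains that have been given an address. The following added example (not code from the slides or from VASCO) parses hosts-file text in the format shown above and reports entries that redirect a watched domain; the sample file content, the watch list and the rogue address 134.58.7.20 are constructed for the example.

```python
import ipaddress

# Constructed hosts-file content. The www.barclays.co.uk line is the kind of entry a
# pharming Trojan adds; the address is a constructed rogue address, not the bank's.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
134.58.7.20     www.barclays.co.uk
64.233.183.99   www.google.co.uk
"""

# Constructed watch list: domains that should never be resolved from a local hosts file.
WATCHED_DOMAINS = {"www.barclays.co.uk", "www.real-bank.com"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line; the resolver skips it too
        for name in fields[1:]:                 # one IP may carry several names
            entries.append((str(ip), name.lower()))
    return entries


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Entries that override resolution of a watched domain with a non-loopback address.
    Loopback mappings block a site rather than redirect it, so they are reported separately
    by a full tool and ignored here."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in watched and not ipaddress.ip_address(ip).is_loopback:
            hits.append((name, ip))
    return hits
```

On Windows the file to read is the one under the path given on the slide; on Unix-like systems it is /etc/hosts. The check is deliberately conservative: any non-loopback entry for a bank domain is worth investigating, since banks do not ask customers to pin their addresses locally.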
Pharming (5/7) – DNS cache poisoning
› Unsolicited information in replies is accepted
› Example: a DNS-server can provide an IP-address for www.real-bank.com
although the address of www.mock-bank.com was asked
(Diagram: 1. End-user PC asks the rogue DNS-server “IP of www.mock-bank.com?”;
2. the reply carries “www.mock-bank.com is at 134.58.7.20” together with the
unsolicited “www.real-bank.com is at 134.58.7.20”)
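The cache is poisoned only if the resolver stores the unsolicited record. The standard defense is a bailiwick check: a record is accepted only if its name lies inside the zone the answering server was asked about. The following added example (not code from the slides or from VASCO) implements a minimal caching resolver with that check and feeds it the reply from the slide; the reply structure, the TTLs and the rule that the zone is the last two labels of the query name are constructed assumptions (a real resolver tracks the delegation it actually followed).

```python
import time


class ResolverCache:
    """Minimal DNS cache that accepts only records inside the bailiwick of the queried zone."""

    def __init__(self):
        self.records = {}   # (name, type) -> (data, expires_at)

    @staticmethod
    def in_bailiwick(name, zone):
        n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
        return n == z or n.endswith("." + z)

    def absorb_reply(self, zone, reply, now=None):
        """Store in-bailiwick records; return (accepted, rejected) lists."""
        now = time.time() if now is None else now
        accepted, rejected = [], []
        for rec in reply["answer"] + reply["additional"]:
            if self.in_bailiwick(rec["name"], zone):
                key = (rec["name"].lower(), rec["type"])
                self.records[key] = (rec["data"], now + rec["ttl"])
                accepted.append(rec)
            else:
                rejected.append(rec)   # unsolicited record from outside the zone
        return accepted, rejected

    def lookup(self, name, rtype="A", now=None):
        now = time.time() if now is None else now
        entry = self.records.get((name.lower(), rtype))
        if entry and entry[1] > now:
            return entry[0]
        return None


def zone_of(qname):
    """Zone the queried server is authoritative for (assumption: last two labels)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


# Constructed reply from the rogue DNS-server, mirroring the slide's diagram.
POISONED_REPLY = {
    "question": "www.mock-bank.com",
    "answer": [
        {"name": "www.mock-bank.com", "type": "A", "data": "134.58.7.20", "ttl": 3600},
    ],
    "additional": [
        {"name": "www.real-bank.com", "type": "A", "data": "134.58.7.20", "ttl": 3600},
    ],
}


def demo(now=0):
    """Absorb the poisoned reply and report what the cache now says about each name."""
    cache = ResolverCache()
    accepted, rejected = cache.absorb_reply(zone_of(POISONED_REPLY["question"]), POISONED_REPLY, now)
    return (len(accepted), len(rejected),
            cache.lookup("www.mock-bank.com", now=now + 1),
            cache.lookup("www.real-bank.com", now=now + 1))
```

The bailiwick check blocks this particular attack, but a cache must also randomize source ports and transaction IDs, otherwise an attacker can race forged in-bailiwick answers; the example shows the record-filtering half only.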
Drive By Attacks – Samy is My Hero
› MySpace Worm
› Added users to Samy’s Friends list without authorization by user
› Added text “but most of all, Samy is My Hero” to user pages
› Propagation:
› Author originally had 73 “friends”
› 7 hours later, 221 new friend requests
› 13 hours: 2,503 friends and 6,373 friend requests
› After about 18 hours, over 1,005,831 new friend requests
› Response
› MySpace – complete service shutdown
› “Samy” sentenced to 3 years probation and community
service – Internet ban
Drive By Attacks – Samy is My Hero: image-only slide
Pharming (6/7) – drive-by pharming
› Technique to alter DNS settings of (wireless) home router
› Method:
1. User downloads web page containing Java applet and JavaScript
2. Java applet detects IP-address of host and addressing scheme
3. JavaScript pings other hosts and discovers brand of router
4. JavaScript accesses configuration screens using default
passwords
› Reported case: Mexican bank (1/2008)
› Attack on 2wire router
› Victim receives e-mail saying e-card waiting at
www.gusanito.com
› E-mail contains HTML IMG tag resulting in HTTP GET to home
router; no HTTP-authentication required
› HTTP GET changes DNS settings of router (XSRF attack)
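The router in the reported case changed its DNS settings on a bare HTTP GET with no authentication, which is exactly what an IMG tag in an e-mail can trigger. The following added example (not code from the slides or from VASCO, nor from any router vendor) shows a configuration handler hardened against that: a state-changing request must come from an authenticated session, must be a POST, must carry a CSRF token bound to the session, and must originate from the router's own address. The router address, the fixed credentials and the request representation are constructed for the example.

```python
import secrets

ROUTER_HOST = "192.168.1.254"   # constructed address of the home router's web interface


class RouterConfig:
    """Toy router configuration service with CSRF-resistant DNS settings."""

    def __init__(self):
        self.dns = [ROUTER_HOST]   # DNS servers handed out to the LAN
        self.sessions = {}         # session id -> per-session CSRF token

    def login(self, username, password):
        # Constructed fixed credentials; a real device checks a stored, user-chosen password.
        if (username, password) != ("admin", "correct-horse"):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(16)
        return sid, self.sessions[sid]

    def handle(self, method, path, headers, cookies, form):
        """Return (status, message). `form` holds POST fields; query strings are ignored
        for state changes so that a GET can never carry the parameters."""
        path = path.split("?", 1)[0]
        sid = cookies.get("session")
        if sid not in self.sessions:
            return 401, "authentication required"      # the reported attack needed none
        if path != "/dns":
            return 404, "not found"
        if method != "POST":
            return 405, "DNS settings can only be changed with POST"
        origin = headers.get("Origin") or headers.get("Referer", "")
        if not origin.startswith("http://%s" % ROUTER_HOST):
            return 403, "cross-site request rejected"   # request was launched by another site
        if not secrets.compare_digest(form.get("csrf", ""), self.sessions[sid]):
            return 403, "missing or invalid CSRF token"   # an IMG tag cannot supply this
        self.dns = [form["primary"]]
        return 200, "DNS updated"


def simulate_attack(router):
    """What the e-card's IMG tag produces: a cross-site GET with the victim's cookies."""
    status, _ = router.handle("GET", "/dns?primary=134.58.7.20",
                              {"Referer": "http://www.gusanito.com/ecard"},
                              {"session": next(iter(router.sessions), "")}, {})
    return status
```

Even with the victim logged in to the router, the cross-site GET is refused at the method check, and a forged POST from another site fails the origin and token checks; only a POST produced by the router's own pages, which embed the token, can change the settings.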
Fast-flux service networks (1/2)
› Basic components of phishing infrastructure
› One or more web-servers to host rogue website
› One or more domain names, e.g. www.my-bank.info
› Popular top-level domains: .hk, .cc and .info
› One or more DNS-servers, which are configured to be
authoritative for the registered domain names
› Phishing infrastructure requirements:
› High availability
› Website should not be taken down too soon by bank or ISP
› Easily manageable
› Webpages should not be dispersed among too many web
servers
› Can be realized using fast-flux approach
Fast-flux service networks (2/2)
› Simple fast-flux
(Diagram: 1. End-user PC asks the local DNS-server “IP of www.mybank.com?”;
2. local DNS-server asks the DNS-server for .com; 3. reply: IP-address of the
DNS-server for mybank.com; 4. local DNS-server asks the DNS-server for mybank.com;
5. reply “www.mybank.com is at 134.158.7.10”, one of the botnet nodes
(129.47.6.5, 134.158.7.10, 157.120.9.15); 6. reply relayed to End-user PC;
7. End-user PC requests webpage from the botnet node; 8. the node requests the
webpage from the real web server; 9. web server returns webpage; 10. node returns
webpage to End-user PC)
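Because a fast-flux domain answers with bot addresses that keep changing, the defender's signal is in the DNS records themselves: many distinct addresses over a short time, spread over unrelated networks, with TTLs short enough to rotate them. The following added example (not code from the slides or from VASCO) computes those features from passive-DNS observations and applies a simple rule; the observations, the thresholds and the use of /16 prefixes as a stand-in for "different networks" are constructed assumptions (a production system would map addresses to ASNs).

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed passive-DNS observations: (domain, TTL in seconds, A records in the answer).
# www.mybank.info uses the slide's botnet addresses plus documentation ranges.
OBSERVATIONS = [
    ("www.mybank.info", 300, ["129.47.6.5", "134.158.7.10", "157.120.9.15"]),
    ("www.mybank.info", 300, ["134.158.7.10", "157.120.9.15", "203.0.113.7"]),
    ("www.mybank.info", 300, ["198.51.100.23", "129.47.6.5", "192.0.2.99"]),
    ("www.example.com", 86400, ["93.184.216.34"]),
    ("www.example.com", 86400, ["93.184.216.34"]),
]


def network_of(ip):
    """Crude 'network' key: the /16 prefix of an IPv4 address (assumption; use ASN in practice)."""
    return str(ip_address(ip)).rsplit(".", 2)[0]


def flux_features(observations):
    """Per-domain counts of unique addresses, unique networks, lowest TTL and lookups seen."""
    per_domain = defaultdict(lambda: {"ips": set(), "ttls": [], "lookups": 0})
    for domain, ttl, ips in observations:
        d = per_domain[domain]
        d["ips"].update(ips)
        d["ttls"].append(ttl)
        d["lookups"] += 1
    features = {}
    for domain, d in per_domain.items():
        features[domain] = {
            "unique_ips": len(d["ips"]),
            "unique_networks": len({network_of(ip) for ip in d["ips"]}),
            "min_ttl": min(d["ttls"]),
            "lookups": d["lookups"],
        }
    return features


def is_fast_flux(f, max_ttl=1800, min_ips=5, min_networks=3):
    """Rule-of-thumb classifier; thresholds are assumptions for the example."""
    return (f["min_ttl"] <= max_ttl
            and f["unique_ips"] >= min_ips
            and f["unique_networks"] >= min_networks)


def flagged_domains(observations=OBSERVATIONS):
    return sorted(d for d, f in flux_features(observations).items() if is_fast_flux(f))
```

Large legitimate sites behind content-delivery networks also rotate many addresses with short TTLs, so in practice the "unique networks" feature is what separates a botnet of home PCs from a CDN's well-known address blocks, and a result like this is a lead to investigate rather than a verdict.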
Spyware
› Definition of spyware attack
› Attempt to fraudulently obtain sensitive information such as
usernames, passwords and credit-card details, by covertly
intercepting information exchanged during an electronic
communication
(Diagram: numbered steps 1–7 of a spyware attack between the end-user, the end-user's PC, the e-banking server and the adversary, ending with the adversary's $$$)
Bank Trojans
› Designed to obtain bank credentials (since mid-2004)
› 4 main functions:
› Monitoring
› Harvest data only when user visits banking website (efficiency)
› Filter list: www.citibank.com , /TAN/ , “Welcome to Citi”
› Spying
› Capture user’s banking credentials
› Hiding
› Ensure Trojan cannot be detected by security software
› Updating
› Regular update of filter list from control server
Monitoring techniques (1/3)
› Browser Helper Objects (BHOs)
› Lightweight DLL extension adding custom functionality to IE
› Conform to the Component Object Model (COM)
› Loading of BHO into IE
› At start-up IE loads COM objects whose CLSID is present in
certain Windows registry key
› Allows eavesdropping on browser events and user input
› InfoStealer Trojan
› MITM Attacks
Monitoring techniques (2/3)
› Hooking WinInet API functions
› WinInet.dll: Windows implementation of HTTP(S), FTP
› Hooking:
› Call to function in WinInet.dll passes via Trojan (redirection)
› Trojan has read/write access to payload of function
(Diagram: the Import Address Table of IExplore.exe records HTTPSendRequestA at
address 45789, inside Trojan.dll, instead of its real address 12345 inside WinInet.dll;
a call therefore enters Trojan.dll, which gets the payload and then calls 12345 in
WinInet.dll)
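The redirection leaves a detectable trace: an import that claims to come from WinInet.dll resolves to an address outside WinInet.dll's loaded image. The following added example (not code from the slides or from VASCO) shows that check over a constructed module map and import table using the addresses from the diagram; the module ranges, the second and third entries and the function names other than the hooked one are constructed for the example (HttpSendRequestA and InternetConnectA are real WinInet exports, InternetReadFile too, but the addresses are not real).

```python
# Constructed module map: module name -> [base, end) of its loaded image.
MODULES = {
    "WinInet.dll": (10000, 20000),
    "Trojan.dll": (40000, 50000),
}

# Constructed Import Address Table of IExplore.exe after the hook was installed:
# (module that should export the function, function name, address found in the IAT).
IAT = [
    ("WinInet.dll", "HttpSendRequestA", 45789),   # redirected into Trojan.dll (slide's example)
    ("WinInet.dll", "InternetConnectA", 13210),   # untouched, inside WinInet.dll
    ("WinInet.dll", "InternetReadFile", 99999),   # points into no mapped module at all
]


def module_for(address, modules=MODULES):
    """Name of the module whose image contains the address, or None."""
    for name, (base, end) in modules.items():
        if base <= address < end:
            return name
    return None


def detect_iat_hooks(iat=IAT, modules=MODULES):
    """Entries whose resolved address lies outside the exporting module's image.
    Each finding is (function, address, expected module, module actually hit)."""
    findings = []
    for expected, func, addr in iat:
        actual = module_for(addr, modules)
        if actual != expected:
            findings.append((func, addr, expected, actual))
    return findings
```

A real scanner obtains the module ranges from the process's loaded-module list and the IAT from the executable's import directory; the comparison itself is exactly this. Inline hooks that patch the first bytes of the function inside WinInet.dll are not caught by an IAT check and need a code-integrity comparison against the on-disk image instead.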
Monitoring techniques (3/3)
› Winsock’s Layered Service Providers (LSP) architecture
› WinSock.dll: Windows implementation of TCP/IP
› Applications performing network operations load WinSock
› Additional libraries can be loaded into WinSock
› Benign applications:
› Parental control: content filtering
› Application-transparent encryption
› Malign applications:
› Eavesdropping on network communication
› Altering financial transaction data
Spying techniques
› Form grabbing
› Trojan captures only data that is entered into web form
› Common techniques: BHOs, API hooking
› Injection of fraudulent pages or fields
› Trojan modifies HTML-pages coming from bank on-the-fly
› Inserts additional fields or modifies destination of “Log on”
button
› Trojan receives HTML-pages from control server
› Screenshots and video captures
› Keylogging
› Trojan is triggered when user visits certain URL
› Only data entered into webpage is logged
› Note: techniques defeat SSL, virtual keyboards, ...
Example: Infostealer.Banker (1/2)
› Installation
› Registration of BHO in Windows registry
› Generation of random number as ID for infected PC
› Registration of ID at server via PHP-script
› Operation
› BHO contacts server for updated “help.txt”
› BHO listens for connections to URLs in “help.txt”
› When BHO detects connection to certain URL
› BHO looks in “help.txt” for HTML-code to be injected
› BHO injects HTML code
› Browser displays modified webpage
› When user enters credentials into modified webpage, BHO calls
PHP-script to upload credentials to server
Example: Infostealer.Banker (2/2): image-only slide
Man-in-the-middle Attacks
Man-in-the-middle attack
› Real-time interception and modification of
information interchanged between two entities
without either entity noticing
› Uses phishing and/or spyware techniques
(Diagram: End-user ↔ MITM ↔ E-banking server)
› Man-in-the-middle can be:
› Local: spyware on end-user’s PC
› Remote: phishing website
Local man-in-the-middle attack
› “Man-in-the-browser”, “Local session riding”
› General procedure
› Infect system with Banking Trojan
› Hijack successfully authenticated session
› Insert or modify fraudulent transactions
(Diagram: on the end-user's computer the end-user enters 1: “John”, 2: OTP and
3: “$500 to Bob” into the browser; the Banking Trojan passes 1: “John” and 2: OTP
on unchanged but sends 3: “$5000 to Bill” to the e-banking server)
Remote man-in-the-middle attack
› General procedure:
› Redirect traffic to rogue website
› Using common phishing techniques: e-mail, pharming, …
› Act as proxy between end-user and real banking website
› Keep authenticated session alive and modify transaction data
› Reported cases:
› Dutch and Swedish retail banks (March 2007):
› Infostealer.Banker.C and phishing website
› Damage: 4 customers, unknown amount
› Belgian retail bank (May/June 2007)
› Damage: 3 customers, ~ 10 000 euro
The Cybercrime Black Market
Organization (1/2)
(Diagram: roles in the cybercrime black market, connected through an on-line forum (IRC, web))
› Coder
› Exploiter
› Spammer
› Website designer
› Botnet herder
› Card skimmer
› Money mule recruiter
› Money mule
Organization (2/2) – money mules
› Problem of phisher:
› E-banking system may not allow money transfers to foreign
accounts
› Solution:
› Phisher recruits “money mules” with bank account in country of
targeted bank
› Phisher transfers money to bank account of mule
› Mule transfers money to phisher (e.g. Western Union,
Moneygram)
› Money mule recruitment
› Regular job advertisement channels
› “Financial service manager”, “shipping manager”, “private
financial retriever”, etc.
› More information: http://bobbear.co.uk/
Fraud Accounting
› Cost of phishing attack:
› Phishing e-mail + phishing website: $5
› Spam list: $8
› Botnet for sending out spam during 6 hours: $30
› Hacked server to host phishing website: $10
› Valid DNS-name: $10
› Total cost: $63
› Profit from phishing attack
› Option 1: selling stolen banking credentials
› 20 accounts: $200 - $2000
› Profit: $137 - $1,937
› Option 2: cashing money via money mule
› $10,000 on account; 50% for money mule; 50% rip-off rate
› Income: $2500
Defense Mechanisms
One-time passwords (1/3)
› Strengths
› Render compromised end-user credentials less valuable for
adversary (only valid once and during limited amount of time)
› Limit amount of time between collection and exploitation steps of
phishing attack
› Break down the traditional economic model of phishing attacks
› Phishing economy: specialization means trading
› Trading credentials takes time
› One-time passwords are invalid before used
One Time Passwords (Response Only)
(Diagram: the Digipass with serial number SN holds the DP Secret and computes the
time-based response by 3DES-encrypting the time under the DP Secret, e.g. 342601;
the end-user sends Userid = A and Password = OTP over the Internet to the
application, which looks up A – SN – DP Secret in the “.dpx file” (next entry
B – SN' – DP Secret'), performs the same 3DES computation and compares the result
with the received OTP)
Electronic signatures (1/6)
› One-time passwords provide only end-user authentication
› Server only knows that genuine end-user is present at log-on
› Server cannot detect modifications or injections after log-on
(Diagram: the end-user sends 1: “John” and 3: OTP to the MITM, which forwards them
as 2: “John” and 4: OTP to the e-banking server; the server answers 5: “OK”, the
MITM shows the end-user 6: “Error” and then sends 7: “$5000 to Bill” over the
authenticated session)
› Electronic signatures provide transaction authentication
› Server can detect and reject unauthenticated transactions or
changes to transactions
Data Signature (Electronic Signature, MAC)
(Diagram: the Digipass concatenates Field A + Field B + Field C of the transaction
and computes a MAC with 3DES under the DP Secret; the end-user sends Userid = A,
the fields and Password = MAC over the Internet to the application, which looks up
A – SN – DP Secret in the “.dpx file”, recomputes the 3DES MAC over the same fields
and compares it with the received MAC)
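The two server-side checks described on the one-time-password slides and on the data-signature slides share the same shape: look up the device secret for the user, recompute what the device should have produced, compare in constant time. The following added example (not code from the slides or from VASCO, and not the Digipass algorithm) implements both a time-based one-time password with replay rejection and a MAC over the transaction fields, then shows that the man-in-the-middle's "$5000 to Bill" fails verification while the genuine transaction passes. HMAC-SHA1/SHA256 stand in for 3DES because Python's standard library has no 3DES; the 30-second time step, the truncation to 6 and 8 digits, the secrets and the stand-in for the ".dpx file" are all constructed assumptions.

```python
import hashlib
import hmac
import struct
import time

STEP = 30   # seconds per time window (assumption; the slides do not state the Digipass window)

# Constructed stand-in for the ".dpx file": userid -> (serial number, device secret).
DPX = {
    "A": ("SN-0001", b"constructed-secret-for-device-A"),
    "B": ("SN-0002", b"constructed-secret-for-device-B"),
}


def _truncate(digest, digits):
    """Dynamic truncation of a digest to a fixed number of decimal digits."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def otp(secret, counter):
    """Time-based response: keyed hash over the time-step counter (HMAC stands in for 3DES)."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), 6)


def transaction_mac(secret, fields):
    """MAC over the transaction fields (A, B, C, ...) in a fixed, unambiguous encoding."""
    msg = "\x1f".join(str(f) for f in fields).encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), 8)


class Server:
    """E-banking server side: end-user authentication and transaction authentication."""

    def __init__(self, dpx=DPX):
        self.dpx = dpx
        self.last_counter = {}   # userid -> last accepted time counter (replay protection)

    def login(self, userid, password, now=None):
        if userid not in self.dpx:
            return False
        _, secret = self.dpx[userid]
        counter = int((time.time() if now is None else now) // STEP)
        for c in (counter - 1, counter, counter + 1):      # tolerate one step of clock drift
            if hmac.compare_digest(otp(secret, c), password):
                if c <= self.last_counter.get(userid, -1):
                    return False                           # already used: one-time only
                self.last_counter[userid] = c
                return True
        return False

    def submit(self, userid, fields, mac):
        """Accept the transaction only if the MAC matches the fields as received."""
        _, secret = self.dpx[userid]
        return hmac.compare_digest(transaction_mac(secret, fields), mac)


def demo(now=1_700_000_000):
    """Genuine login, replayed login, genuine transaction, MITM-modified transaction."""
    server = Server()
    secret = DPX["A"][1]
    code = otp(secret, now // STEP)
    first = server.login("A", code, now)
    replay = server.login("A", code, now)             # same OTP a second time
    fields = ("John", "$500", "Bob")
    mac = transaction_mac(secret, fields)
    genuine = server.submit("A", fields, mac)
    tampered = server.submit("A", ("John", "$5000", "Bill"), mac)   # MITM changed the fields
    return first, replay, genuine, tampered
```

The MAC binds the amount and beneficiary to something only the device and the server can compute, so a man-in-the-middle can relay the login but cannot produce a valid MAC for fields the end-user never saw; this is the property the OTP alone lacks.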
Electronic signatures
› Conflict: security vs. user-friendliness
› Solution: security policies
› Policies determine when / what has to be signed
› Implemented at the server side (flexible)
› Possible criteria
› Amount of money (how large?)
› Beneficiary bank account number (used previously?)
› Determine risk of transaction
› Result
› Electronic signature only required in case of high-risk transactions
› Paying tax or bills (e.g. electricity, water, phone, ...): no signature
› Transferring to other accounts of end-user (e.g. savings account): no
signature
› Facilitates envelope transactions (many-in-one)
› “Risk-based Transaction Authentication”
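A policy of this kind is a small rule set evaluated by the server before it decides whether to demand a signature for a transaction or for a whole envelope. The following added example (not code from the slides or from VASCO) encodes the criteria listed above: tax and bill payments and transfers between the end-user's own accounts need no signature, a previously unused beneficiary does, and so does an envelope whose external transfers exceed an amount threshold. The transaction categories, the threshold value and the account identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Transaction:
    to_account: str
    amount: float
    kind: str = "transfer"      # constructed kinds: "transfer", "tax", "bill"


@dataclass
class Customer:
    own_accounts: set
    known_beneficiaries: set = field(default_factory=set)   # beneficiaries used previously


# Assumption: external transfers whose total exceeds this amount count as high-risk.
AMOUNT_THRESHOLD = 1000.0


def requires_signature(customer, transactions):
    """Decide whether an envelope of transactions (one or many-in-one) needs an
    electronic signature. Returns (required, reasons)."""
    reasons = []
    external = []
    for t in transactions:
        if t.kind in ("tax", "bill"):
            continue                          # paying tax or bills: no signature
        if t.to_account in customer.own_accounts:
            continue                          # moving money between own accounts: no signature
        external.append(t)
        if t.to_account not in customer.known_beneficiaries:
            reasons.append("new beneficiary %s" % t.to_account)
    total = sum(t.amount for t in external)
    if total > AMOUNT_THRESHOLD:
        reasons.append("external transfers total %.2f exceeds %.2f" % (total, AMOUNT_THRESHOLD))
    return bool(reasons), reasons


def record_signed(customer, transactions):
    """After a signed envelope is accepted, its beneficiaries become 'used previously'."""
    for t in transactions:
        if t.kind == "transfer":
            customer.known_beneficiaries.add(t.to_account)
```

Evaluating the envelope as a whole matters: a man-in-the-browser that splits one large transfer into several small ones to a new beneficiary is still caught, because the beneficiary rule fires on the first one and the amount rule sums the rest.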
End-user education
› The end-user remains the weakest link in the security
chain
› Train end-users in “street smarts”:
› Do NOT respond to emails asking to log-on
› Install software from a trustworthy source only
› DO type URLs or use bookmarks
› DO motivate end-users to install a firewall and anti-virus scanner
› E.g. Barclays UK & F-Secure
› E.g. Firstrade Securities US & Trend Micro
› Follow your own guidelines!
› For example, many organizations fail to renew SSL-certificates
before they expire!
Conclusion
› Sophistication of e-banking fraud schemes is increasing
› Phishing
› Alternative delivery channels: not only e-mail
› Targeted phishing
› Spyware
› Better hiding techniques; rootkit technology likely to be used more
› Better stealing techniques
› Need for strong authentication mechanisms is increasing
› Safe solutions are possible
› Combine end-user authentication and transaction authentication
› Usability must be taken into account to prevent social engineering